System and method for enforcing security policies in a virtual environment

ABSTRACT

A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.

RELATED APPLICATION

This Application is a continuation (and claims the benefit of priorityunder 35 U.S.C. §120) of U.S. application Ser. No. 12/545,609, filedAug. 21, 2009, entitled “SYSTEM AND METHOD FOR ENFORCING SECURITYPOLICIES IN A VIRTUAL ENVIRONMENT,” Inventor(s) Amit Dang, et al. Thedisclosure of the prior application is considered part of (and isincorporated by reference in) the disclosure of this application.

TECHNICAL FIELD

This disclosure relates in general to the field of security and, moreparticularly, to enforcing security policies in a virtual environment.

BACKGROUND

The field of network security has become increasingly important intoday's society. In particular, the ability to effectively protectcomputers and systems presents a significant obstacle for componentmanufacturers, system designers, and network operators. This obstacle ismade even more difficult due to the plethora of new security threats,which seem to evolve daily. Virtualization is a software technologyallowing an operating system to run unmodified on an isolated virtualenvironment (typically referred to as a virtual machine), where aplatform's physical characteristics and behaviors are reproduced. Morespecifically, a virtual machine can represent an isolated, virtualenvironment (lying on top of a host operating system (OS)) and equippedwith virtual hardware (processor, memory, disks, network interfaces,etc.). Commonly, the virtual machine is managed by a virtualizationproduct. A virtual machine monitor (VMM) is the virtualization softwarelayer that manages hardware requests from a guest OS (e.g., simulatinganswers from real hardware). A hypervisor is computer software/hardwareplatform virtualization software that allows multiple operating systemsto run on a host computer concurrently. Both Xen and Hypervisorrepresent forms of VMMs and these VMMs can be exploited to betterprotect computers and systems from emerging security threats.

BRIEF DESCRIPTION OF THE DRAWINGS

To provide a more complete understanding of the present disclosure andfeatures and advantages thereof, reference is made to the followingdescription, taken in conjunction with the accompanying figures, whereinlike reference numerals represent like parts, in which:

FIG. 1 is a simplified block diagram of a system for enforcing securitypolicies in a privileged domain of a virtual environment in accordancewith one embodiment;

FIG. 2 is a simplified view of processor privilege level ring usage inaccordance with one embodiment;

FIG. 3 is a simplified block diagram of a system for enforcing securitypolicies in a privileged domain of a virtual environment in accordancewith another embodiment;

FIG. 4 is a simplified block diagram providing an overview of componentsand processes in Domain 0 and, further, their interactions with avirtual machine monitor in accordance with another embodiment; and

FIG. 5 is a simplified flowchart illustrating a series of example stepsassociated with the system in accordance with one embodiment.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

A method in one example implementation includes intercepting a requestassociated with an execution of an object (e.g., a kernel module or abinary) in a computer configured to operate in a virtual machineenvironment. The request for the execution is associated with aprivileged domain of the computer that operates logically below one ormore operating systems. The method also includes verifying anauthorization of the object by computing a checksum for the object andcomparing the checksum to a plurality of stored checksums in a memoryelement. The method further includes denying the execution of the objectif it is not authorized. In other embodiments, the method can includeevaluating a plurality of entries within the memory element of thecomputer, wherein the entries include authorized binaries and kernelmodules. In other embodiments, the method can include intercepting anattempt from a remote computer to execute code from a previouslyauthorized binary, and evaluating an origination address of a hypercallassociated with the code before executing the code.

Example Embodiments

FIG. 1 is a simplified block diagram of a system 10 for enforcingsecurity policies in a privileged domain of a virtual environment. Suchan architecture can provide a secure environment for the execution ofoperations in the privileged domain, as well as in other guest operatingsystems. In one example implementation, FIG. 1 includes a user space 12,a kernel space 14, a virtual machine monitor 16, and a kernel module 20,which includes an inventory 24. Virtual machine monitor 16 may include amemory element 18 and a processor 22 in one example implementation. Inaddition, FIG. 1 may include a system call table 28, a managementinterface 40, and a control module 34, which includes an inventory 36. Asystem call 42 is also provided, and this element interfaces with aloading and routines element 30, which interacts with inventory 24. Notshown in FIG. 1 is additional hardware that may be suitably coupled tovirtual machine monitor (VMM) 16 (e.g., provided below its logicalrepresentation) in the form of memory management units (MMU), symmetricmultiprocessing (SMP) elements, physical memory, Ethernet, smallcomputer system interface (SCSI)/integrated drive electronics (IDE)elements, etc.

For purposes of illustrating the techniques of system 10, it isimportant to understand the activities occurring within a given virtualsystem. The following foundational information may be viewed as a basisfrom which the present disclosure may be properly explained. Suchinformation is offered earnestly for purposes of explanation only and,accordingly, should not be construed in any way to limit the broad scopeof the present disclosure and its potential applications. Virtualmachine monitors (e.g., Xen and HyperV) are hypervisors that currentlyfail to offer an interface to the end user to properly manage virtualmachines and guest operating system (OS) instances. As used herein inthis Specification, the term ‘virtual machine element’ is meant toinclude any such hypervisors, or other devices that operate in a virtualenvironment. It should also be noted that these hypervisor's fail tooffer suitable device drivers. Both of the above functionalities arecommonly provided by a special privileged domain/partition. Generally,these privileged domains can host device drivers and, further, providean interface for managing virtual machine monitor 16 and guest OSinstances.

Any grant of special privileges to a particular domain poses securityrisks for other guest OS instances. A compromised privileged domain canreadily degrade the security of all guest OS instances running on acomputer. In essence, hypervisors and privileged domains can unknowinglyengender new attack vectors that are not adequately protected by currentsecurity solutions. System 10 offers a viable architecture to thwartthese new categories of attacks, as well as other security riskspresented to a given computer.

Consider a first example in which some type of malware is attempting torun a kernel module, which is not authorized. A hypercall is a functionthat is generally used by a kernel module to interact with a virtualmachine. For example, a hypercall could be used by the kernel module toaccess specific areas of a given machine. The hypercall can shut downthe virtual machine and, in a worst-case scenario, control all the othervirtual machines to which it can communicate. Thus, the ability ofcertain code (e.g., in the form of a hypercall) to enter a certain spaceand to improperly manipulate the system is problematic.

The primary attack vectors that can compromise a privileged domaininclude: 1) execution of an unauthorized user binary(malware/virus)/kernel module; 2) execution of a vulnerable authorizedbinary; and 3) execution of unauthorized hypercalls. System 10 can beused to enforce security policies in the privileged domain. The presentdisclosure is directed towards securing privileged domains/partitions.In certain embodiments, the current disclosure works by inserting asecurity layer in the Domain 0 kernel, which protects: 1) againstexecution of unauthorized user space binaries/kernel module; and 2)against execution of vulnerable authorized binary.

The system can be configured to take a snapshot of all the validbinaries and kernel modules and store the information in a user spacedatabase/inventory. The kernel security layer (in Domain 0) canintercept a kernel module and binary load routine and, subsequently,fetch inventory data from the user space inventory. When a particularrequest for execution of a kernel module or of a binary occurs, anintercept function is invoked that checks for an authorization of theloaded module or binary. The intercepting function allows execution ofonly authorized binaries/modules. Note that in computing, an executable(file) causes a computer to perform indicated tasks according to encodedinstructions, as opposed to a file that only contains data. Files thatcontain instructions for an interpreter or virtual machine may beconsidered ‘executables’ or ‘binaries’ in contrast to program sourcecode. The more generic term ‘object’ (as used herein in thisSpecification) is meant to include any such executables, binaries,kernel modules, improper hypercalls, etc., which are sought to beinvoked, initiated, or otherwise executed.

The current disclosure also protects against execution of unauthorizedhypercalls if a currently running binary is exploited. This is importantbecause an attacker could use hypercalls to take over the entire virtualinfrastructure. In such an implementation, the security layer checks foran origination address of hypercalls. The security layer can randomizehypercalls such that only authorized binaries can invoke the appropriatehypercalls.

Note that no security solution exists that effectively protects theprivileged domain (Domain 0) as a special entity. Common solutions tothe issues detailed herein include security software that would normallyrun on a commodity operating system. Security of privileged domains isan area of active research; however, there is no solution available thatproactively protects the critical domains. System 10, by contrast, cantreat the privileged domain as special and protect it against the newattack vectors involved. This is in contrast to more generalizedsolutions, which do not specifically target protection for Domain 0.

Turning to the infrastructure of FIG. 1, virtual machine monitor 16 canrun multiple instances of guest OSs. Logically, this element can bethought of as the hypervisor in certain implementations. Virtual machinemonitor 16 can be part of a server, a firewall, an antivirus solution,or more generically, a computer. Kernel space 14 of the virtual machineis the area where a security layer can be inserted. In this particularcase, kernel space 14 is associated with Domain 0. An operating systemusually segregates virtual memory into kernel space and user space.Kernel space is commonly reserved for running a kernel, the kernelextensions, and certain device drivers. In contrast, user space is thememory area where user mode applications work and this memory can beswapped out (if necessary).

Each user space process normally runs in its own virtual memory spaceand, unless explicitly requested, does not access the memory of otherprocesses. This is the basis for memory protection in mainstreamoperating systems, and a building block for privilege separation. Inanother approach, a single address space for all software is used, wherethe programming language's virtual machine ensures that arbitrary memorycannot be accessed. Applications simply cannot acquire references to theobjects that they are not allowed to access.

Kernel module 20 represents the security layer in the Domain 0 kernel,which provides protection to the domain against unauthorized (andvulnerable authorized) binaries and kernel modules. In some attackscenarios, this can be the source of hypercalls. A hypercall is asoftware trap from a domain (e.g., Domain 0) to the hypervisor, just asa syscall is a software trap from an application to the kernel. Domainscan use hypercalls to request privileged operations like updating pagetables. Like a syscall, the hypercall is synchronous, where the returnpath from the hypervisor to the domain can employ event channels.

In one example implementation, virtual machine monitor 16 is a Xenelement, which is a hypervisor that runs on bare hardware and whichprovides the capability of running multiple instances of OSssimultaneously on the same hardware. A typical Xen setup may involve Xenrunning beneath multiple OSs, where applications are on top of the OSs,which are associated with a group of virtual machines. The entireconfiguration may be provided in a server (or some other networkappliance). One of the virtual machines can be running an OS associatedwith Domain 0. This VM (Dom 0) provides the user with the interface tomanage this complete setup, and also hosts the device drivers. Thismanagement includes the hypervisor configuration, VM configuration,creation, deletion, shutdown, startup, etc. of VMs. This kind of setupcan be popular in data centers where servers run Xen, which in turnhosts multiple instances of guest OSs (VMs). Each such server can haveone Domain 0. The features discussed herein can effectively secure thisDomain 0, as detailed below.

In most virtualization scenarios, one of the virtual elements isreferred to as Domain 0, and it has administrative authority to controlother virtual machines. This domain represents a privileged area and,therefore, it should be protected. In one example implementation,virtual machine monitor 16 is a Xen element configured to carry out someof the protection operations as outlined herein. Note that this Xenimplementation is only representing one possible example to which thepresent disclosure can apply. Any number of additional hypervisors orvirtual elements could similarly benefit from the broad teachingsdiscussed herein.

In one example, a hypervisor can offer tools and applications necessaryto support a complete virtualization environment. The hypervisor is thebasic abstraction layer of software that sits directly on the hardwarebelow operating systems. It is responsible for central processing unit(CPU) scheduling and memory partitioning of the various virtual machinesrunning on a hardware device. The hypervisor not only abstracts thehardware for the virtual machines, but also controls the execution ofvirtual machines as they share the common processing environment.

Inventory 24 represents a memory element (e.g., a database) that may beprovided in a security layer that keeps information about authorizedbinaries and kernel modules. System call table 28 is configured tointercept loading of modules and binaries in a given computer. Loadingroutines module 30 provides functionality for hooked routines, which canperform a check on each kernel module and binary. Control module 34offers control for the security layer in user space 12. Control module34 may include inventory 36, which represents user space inventory thatgets pushed to the kernel security layer. Both instances of inventory 24and 36 may be updated, and/or suitably modified based on systematicconfigurations, or events that trigger a change to either of theseinventories. Management interface 40 can be configured to control thebehavior of a security agent, which is relegated the task of protectinga computer.

In operation of a simple example, a loadable kernel module (LKM)represents a system commonly used by Linux (as well as some other modernoperating systems) to allow the linking of object code into a runningkernel without interrupting system traffic. At a fundamental level, anobject is compiled to a re-locatable object (.o) file, loaded using‘insmod’ under Linux, and removed using ‘rmmod’. Linux also supportsdemand loading of modules using ‘kerneld’ (now kmod).

Once ‘insmod’ is called, the module is linked into the running systemkernel and the function init_module ( ) is called. All modules shouldcontain this function, as well as a cleanup_module ( ), which is calledat unloading. The purpose of the init_module ( ) is to register thefunctions contained within the module to handle system events, such asto operate as device drivers or interrupt handlers. The actionsperformed by insmod are similar to that of ‘Id’, for example, in regardsto linkage.

In this example, when a request to run a binary or kernel module isintercepted, it is checked to see whether it is authorized. For example,a security agent (e.g., a piece of software running in Domain 0) can beconfigured to compute checksums in order to validate whether a givenelement (i.e., a binary or a kernel module) is authorized for theparticular system. This may include look up operations in which storedinventories are compared against a new request for binaries or kernelmodules in order to discern whether to allow these elements to beexecuted. Thus, the comparison is being made against internally storeditems.

The interaction in the architecture of FIG. 1 occurs between system call42 and loading routines module 30, where a checksum is computed andlooked up in an associated inventory. If the checksum is found, then therequest is authorized (e.g., ‘return original init [initiate] module’),but if the request is not authorized, then an ‘EPERM’ command is sent,which indicates that the operation is not permitted. More detailedoperations associated with these activities are provided below withreference to specific example flows.

Turning to FIG. 2, FIG. 2 is a simplified schematic diagram illustratinga hierarchy 50 of domains within a given computer. More specifically,FIG. 2 depicts a processor privilege level ring usage (x86) inaccordance with one embodiment. This ring usage can be associated with apara virtualized system, where a Xen VMM runs in Ring 0, Domain 0, andother guest OS kernels run in Ring 1 and Domain 0 (and additional guestOS user space applications can run in Ring 3). Note that the Ringscorrespond to specific domains in this illustration such that the mostprivileged domain is represented By Ring 0 (i.e., Domain 0). This isassociated with virtual machine monitor 16, where a guest operatingsystem corresponds to Ring 1, and applications correspond to Ring 2and/or Ring 3. It should also be noted that hypercalls could easily jumpto virtual machine monitor 16, or Ring 0, which is problematic for thereasons discussed herein.

Domain 0, a modified Linux kernel, is a unique virtual machine runningon the hypervisor that has special rights to access physical I/Oresources, as well as interact with the other virtual machines (DomainU: PV and HVM Guests) running on the system. Domain 0 is the firstdomain launched when the system is booted, and it can be used to createand configure all other regular guest domains. Domain 0 is alsosometimes called Dom0 and, similarly, a regular guest domain is called aDomU or unprivileged domain. Virtualization environments can requireDomain 0 to be running before other virtual machines can be started. Twodrivers are generally included in Domain 0 to support network and localdisk requests from Domain U PV and HVM Guests: the Network BackendDriver and the Block Backend Driver. The Network Backend Drivercommunicates directly with the local networking hardware to process allvirtual machines requests coming from the Domain U guests. The BlockBackend Driver communicates with the local storage disk to read andwrite data from the drive based upon Domain U requests.

Thus, a given hypervisor is not alone in its task of administering theguest domains on the system. A special privileged domain (Domain 0)serves as an administrative interface to Xen. Domain 0 has directphysical access to hardware, and it exports the simplified generic classdevices to each DomU. Rather than emulating the actual physical devicesexactly, the hypervisor exposes idealized devices. For example, theguest domain views the network card as a generic network class device orthe disk as a generic block class device. Domain 0 runs a device driverspecific to each actual physical device and then communicates with otherguest domains through an asynchronous shared memory transport.

Domain 0 can also delegate responsibility for a particular device toanother domain. A driver domain is a DomU that runs a minimal kernel andthe backend for a particular device. This has the advantage of movingthe complexity and risk of device management out of the Domain 0. Movingdevice management to driver domains can make the system more stablebecause hardware drivers are notoriously the most error-prone code in anoperating system. A driver domain could be stopped and restarted torecover from an error, while stopping and restarting Domain 0 candisrupt the entire system.

As a general proposition, a smaller and simpler Domain 0 is better forthe security and stability of the system. Moving device management intodriver domains is just one example of this. Although Domain 0 typicallyruns a general-purpose operating system, it is wise to use Domain 0strictly for the administration of virtual machines on the system. Allother applications can be run in a guest domain. Overall, a bare-bonesDomain 0 is less vulnerable to attack or accidental software fault.

FIG. 3 is a simplified block diagram of an LKM authenticationimplementation 60 in accordance with one example of the presentdisclosure. FIG. 3 includes many of the same components as FIG. 1, withthe addition of a filename based inventory 52 and a checksum basedinventory (LKM) 54. In addition, a logical representation of aninventory entry 56 is depicted. Inventory entry 56 includes variousfields including a filename, a checksum, an LKM, etc.

As discussed above, there are several Domain 0 security issues in such ascenario. These include unauthorized binary execution, or thepropagation of malware capable of modifying the VM state (e.g., viaioctl). Another security risk is presented by the remote code injectionin authorized binary to modify the VM state (e.g., via ioctl). Note thatin computing, an ioctl is typically the part of the user-to-kernelinterface of an operating system. The acronym is short for “Input/outputcontrol,” where ioctls are commonly employed to allow user space code tocommunicate with hardware devices or kernel components. The other threatin such a scenario involves an unauthorized Linux kernel module (e.g., ahypercall). The architecture of FIG. 3 may operate to protect Domain 0in the following ways. First, the architecture can prevent any executionof unauthorized binaries. Second, the architecture can prevent an ioctlfrom a writable memory area (e.g., in the context of a buffer overflowattack). In addition, the architecture can protect the system byallowing only authorized LKMs to load.

FIG. 4 is a simplified block diagram of an exploit preventionimplementation 62 in accordance with one example of the presentdisclosure. FIG. 4 depicts an overview of components and processes inDomain 0 and, further, their interactions with a virtual machine monitor(e.g., a Xen VMM). The architecture of FIG. 4 includes a user space 64,a kernel space 66, and a virtual machine monitor 68. The operations ofthis particular architecture are akin to those outlined herein inprotecting an associated system from unauthorized kernel modules orbinaries being run, for example, through malware.

Xend shown in FIG. 4 is a special process (e.g., a daemon) that runs asroot in Domain 0. It is a part of the Xen system, where users typicallyinterface with xend via the Xen Management (xm) commands. Xm commands tostart, stop, and manage guest domains send requests to the xend daemonfirst, which are in turn relayed to the Xen hypervisor via a hypercall.Commonly, the xend daemon listens for requests on an open network port.The xm commands typically send requests to the listening xend daemon onthe same machine. Xm is in the user interface and xend handles thevalidation and sequencing of requests from multiple sources. The Xenhypervisor carries out the request in most implementations. In thisexample, an ioctl system call is intercepted and evaluated. If the EIPaddress is from a writable region, the system call is failed and notperformed.

Software for intercepting unauthorized binaries and kernel modules (aswell as inhibiting dangerous code from being executed for alreadyrunning binaries) can be provided at various locations. In one exampleimplementation, this software is resident in a computer sought to beprotected from a security attack (or protected from unwanted, orunauthorized manipulations of a privileged area). In a more detailedconfiguration, this software is specifically resident in Domain 0. Oneimplementation involves providing in a security layer of a virtualmachine monitor, which may include (or otherwise interface with) akernel space and a user space, as depicted by FIG. 1.

In still other embodiments, software could be received or downloadedfrom a web server (e.g., in the context of purchasing individualend-user licenses for separate devices, separate virtual machines,hypervisors, servers, etc.) in order to carry out these intercepting andauthorizing functions in Domain 0. In other examples, the interceptingand authorizing functions could involve a proprietary element (e.g., aspart of an antivirus solution), which could be provided in (or beproximate to) these identified elements, or be provided in any otherdevice, server, network appliance, console, firewall, switch,information technology (IT) device, etc., or be provided as acomplementary solution (e.g., in conjunction with a firewall), orprovisioned somewhere in the network. As used herein in thisSpecification, the term ‘computer’ is meant to encompass these possibleelements (VMMs, hypervisors, Xen devices, virtual devices, networkappliances, routers, switches, gateway, processors, servers,loadbalancers, firewalls, or any other suitable device, component,element, or object) operable to affect or process electronic informationin a security environment. Moreover, this computer may include anysuitable hardware, software, components, modules, interfaces, or objectsthat facilitate the operations thereof. This may be inclusive ofappropriate algorithms and communication protocols that allow for theeffective authorization of kernel modules, binaries, etc. In addition,the intercepting and authorizing functions can be consolidated in anysuitable manner. Along similar design alternatives, any of theillustrated modules and components of FIGS. 1, 3, and 4 may be combinedin various possible configurations: all of which are clearly within thebroad scope of this Specification.

In certain example implementations, the intercepting and authorizingfunctions outlined herein may be implemented by logic encoded in one ormore tangible media (e.g., embedded logic provided in an applicationspecific integrated circuit (ASIC), digital signal processor (DSP)instructions, software (potentially inclusive of object code and sourcecode) to be executed by a processor, or other similar machine, etc.). Insome of these instances, a memory element (as shown in FIG. 1) can storedata used for the operations described herein. This includes the memoryelement being able to store software, logic, code, or processorinstructions that are executed to carry out the activities described inthis Specification. A processor can execute any type of instructionsassociated with the data to achieve the operations detailed herein inthis Specification. In one example, the processor (as shown in theFIGURES) could transform an element or an article (e.g., data) from onestate or thing to another state or thing. In another example, theactivities outlined herein may be implemented with fixed logic orprogrammable logic (e.g., software/computer instructions executed by aprocessor) and the elements identified herein could be some type of aprogrammable processor, programmable digital logic (e.g., a fieldprogrammable gate array (FPGA), an erasable programmable read onlymemory (EPROM), an electrically erasable programmable ROM (EEPROM)) oran ASIC that includes digital logic, software, code, electronicinstructions, or any suitable combination thereof.

Any of these elements (e.g., a computer, a server, a network appliance,a firewall, a virtual machine element, etc.) can include memory elementsfor storing information to be used in achieving the intercepting andauthorizing operations as outlined herein. Additionally, each of thesedevices may include a processor that can execute software or analgorithm to perform the intercepting and authorizing activities asdiscussed in this Specification. These devices may further keepinformation in any suitable memory element (random access memory (RAM),ROM, EPROM, EEPROM, ASIC, etc.), software, hardware, or in any othersuitable component, device, element, or object where appropriate andbased on particular needs. Any of the memory items discussed herein(e.g., inventory, table(s), user space, kernel space, etc.) should beconstrued as being encompassed within the broad term ‘memory element.’Similarly, any of the potential processing elements, modules, andmachines described in this Specification should be construed as beingencompassed within the broad term ‘processor.’ Each of the computers,network appliances, virtual elements, etc. can also include suitableinterfaces for receiving, transmitting, and/or otherwise communicatingdata or information in a secure environment.

FIG. 5 is a flowchart 100 illustrating how security agents can providesecurity to Domain 0 in accordance with one example embodiment. The flowbegins at step 110, where a security agent is installed in Domain 0 ofthe virtual machine monitor. This initiates the security protectionbeing provided for a given system. At step 120, a system snapshot isperformed using the security agent. This could involve evaluating anumber of entries in the system's inventory such that authorizedelements (binaries, kernel modules, etc.) are identified for futurereference. At step 130, the security agent is enabled and this couldfurther involve one or more commands that initiate the protectionmechanism.

Step 140 represents copying of an unauthorized binary on Domain 0. Thesecurity agent is configured to compute checksums in order to validatewhether a given element (a binary or kernel module) is authorized forthe particular system. These activities may include look up operationsin which stored inventories are compared against new requests forbinaries or kernel modules in order to discern whether to allow theseelements to be executed. Thus, the comparison is being made againststored items.

At step 150, the query is answered as to whether this particular binaryhas been authorized. If it has not been authorized, the flow moves tostep 160 where execution of the binary is denied. In such a context, aninference can be made that if the lookup reveals that the particularbinary is not found, then the request is presumed to be a security riskthat should not be executed. If the binary is authorized, then from step150 the flow moves to step 170, where execution of the binary isallowed.

Note that with the examples provided herein, interaction may bedescribed in terms of two, three, four, or more network elements.However, this has been done for purposes of clarity and example only. Incertain cases, it may be easier to describe one or more of thefunctionalities of a given set of flows by only referencing a limitednumber of components or network elements. It should be appreciated thatsystem 10 of FIG. 1 (and its teachings) is readily scalable. System 10can accommodate a large number of components, as well as morecomplicated or sophisticated arrangements and configurations.Accordingly, the examples provided should not limit the scope or inhibitthe broad teachings of system 10 as potentially applied to a myriad ofother architectures. In addition, system 10 has been described herein asoperating on particular Xen architectures; however, other systems canreadily be accommodated by the present solution.

It is also important to note that the steps described with reference tothe preceding FIGURES illustrate only some of the possible scenariosthat may be executed by, or within, system 10. Some of these steps maybe deleted or removed where appropriate, or these steps may be modifiedor changed considerably without departing from the scope of thediscussed concepts. In addition, a number of these operations have beendescribed as being executed concurrently with, or in parallel to, one ormore additional operations. However, the timing of these operations maybe altered considerably. The preceding operational flows have beenoffered for purposes of example and discussion. Substantial flexibilityis provided by system 10 in that any suitable arrangements,chronologies, configurations, and timing mechanisms may be providedwithout departing from the teachings of the discussed concepts.

What is claimed is:
 1. A method, comprising: intercepting, by a securitylayer, a request for an execution of an object in a computer wherein therequest for the execution is from a user space of a privileged domain;verifying an authorization of the object by linking a particular moduleinto a kernel space associated with the privileged domain, wherein theparticular module is configured to compute a checksum for the object,access an inventory of a plurality of stored checksums in a memoryelement, and compare the checksum to the plurality of stored checksums;and denying the execution of the object if it is not authorized; whereinthe security layer is in a kernel of a privileged domain of a computerconfigured to operate in a virtual machine environment, wherein theprivileged domain of the computer manages a virtual machine monitor(VMM) and operates at a higher priority than one or more guest operatingsystems.
 2. The method of claim 1, further comprising: evaluating aplurality of entries within the memory element of the computer, whereinthe entries include authorized binaries and kernel modules.
 3. Themethod of claim 1, further comprising: intercepting an attempt from aremote computer to execute code from a previously authorized binary; andevaluating an origination address of a hypercall associated with thecode before executing the code.
 4. The method of claim 1, wherein theobject is a kernel module or a binary.
 5. The method of claim 1, whereinthe verifying of the authorization of the object includes comparing theobject to an inventory of authorized objects stored in a user space ofthe computer, and wherein a log is created if the execution of theobject is not authorized.
 6. The method of claim 1, wherein the objectis a kernel module that is interacting with a hypercall, which attemptsto access one or more privileged domain areas within the computer.
 7. Alogic encoded in one or more tangible non-transitory media that includescode for execution and when executed by a processor is operable toperform operations comprising: intercepting, by a security layer, arequest for an execution of an object in a computer wherein the requestfor the execution is from a user space of a privileged domain; verifyingan authorization of the object by linking a particular module into akernel space associated with the privileged domain, wherein theparticular module is configured to compute a checksum for the object,access an inventory of a plurality of stored checksums in a memoryelement, and compare the checksum to the plurality of stored checksums;and denying the execution of the object if it is not authorized; whereinthe security layer is configured to operate in a kernel of a privilegeddomain of a computer configured to operate in a virtual machineenvironment, wherein the privileged domain of the computer is configuredto manage a virtual machine monitor (VMM) and operate at a higherpriority than one or more guest operating systems.
 8. The logic of claim7, the processor being operable to perform operations comprising:evaluating a plurality of entries within the memory element of thecomputer, wherein the entries include authorized binaries and kernelmodules.
 9. The logic of claim 7, the processor being operable toperform operations comprising: intercepting an attempt from a remotecomputer to execute code from a previously authorized binary; andevaluating an origination address of a hypercall associated with thecode before executing the code.
 10. The logic of claim 7, wherein theobject is a kernel module or a binary.
 11. The logic of claim 7, whereinthe object is a kernel module that is interacting with a hypercall,which attempts to access one or more privileged domain areas within thecomputer.
 12. The logic of claim 7, wherein the verifying of theauthorization of the object includes comparing the object to aninventory of authorized objects stored in a user space of the computer,and wherein a log is created if the execution of the object is notauthorized.
 13. An apparatus, comprising: a virtual machine element; amemory element configured to store data; and a processor operable toexecute instructions associated with the data, wherein the virtualmachine element is configured to: intercept, by a security layer, arequest for an execution of an object in a computer wherein the requestfor the execution is from a user space of a privileged domain; verify anauthorization of the object by linking a particular module into a kernelspace associated with the privileged domain, wherein the particularmodule is configured to compute a checksum for the object, access aninventory of a plurality of stored checksums in a memory element, andcompare the checksum to the plurality of stored checksums; and deny theexecution of the object if it is not authorized; wherein the securitylayer is configured to operate in a kernel of a privileged domain of acomputer configured to operate in a virtual machine environment, whereinthe privileged domain of the computer is configured to manage a virtualmachine monitor (VMM) and operate at a higher priority than one or moreguest operating systems.
 14. The apparatus of claim 13, wherein thevirtual machine element is further configured to: evaluate a pluralityof entries within the memory element of the computer, wherein theentries include authorized binaries and kernel modules.
 15. Theapparatus of claim 13, wherein the virtual machine element is furtherconfigured to: intercept an attempt from a remote computer to executecode from a previously authorized binary; and evaluate an originationaddress of a hypercall associated with the code before executing thecode.
 16. The apparatus of claim 13, wherein the object is a kernelmodule or a binary.
 17. The apparatus of claim 13, wherein the object isa kernel module that is interacting with a hypercall, which attempts toaccess one or more privileged domain areas within the computer.